Privacy Policy

Effective date: 1 April 2025 · VeridoxaScholar

GDPR Compliance Notice

VeridoxaScholar is operated in accordance with the EU General Data Protection Regulation (GDPR) and the UK GDPR. You have specific rights over your personal data — including the right to access, export, correct, and erase it — which you can exercise at any time from your account settings or by contacting us at admin@veridoxascholar.com.

Self-service data export: authors may download a ZIP of JSON summaries (profile, memberships, your submitted manuscripts as recorded against your account, reviewer assignment metadata, recent notifications, and prior deletion requests). It does not include manuscript file binaries, full editorial correspondence, or manuscripts where another user is the submitting account.

1. Who We Are

VeridoxaScholar is an academic journal management platform operated by Veridoxa Ltd. For the purposes of GDPR, Veridoxa Ltd is the data controller for personal data processed via this platform. Journals hosted on this platform may act as joint controllers in relation to manuscript data submitted to their editorial workflow.

Contact our privacy team: admin@veridoxascholar.com

2. What Personal Data We Collect

We collect the following categories of personal data:

  • Account data: name, email address, password (hashed), institutional affiliation, country, ORCID iD.
  • Profile data: biography, research interests, department, phone (optional), avatar image.
  • Submission data: manuscripts, cover letters, author metadata, revision histories, peer-review correspondence.
  • Review activity: review assignments, completed reviews, editorial decisions (blinded per journal policy).
  • Usage data: log-in timestamps, IP addresses, browser user-agent strings (retained 90 days).
  • Payment data: billing name, email, country. Card details are processed by Stripe; we do not store raw card numbers.
  • Pre-account publisher and journal application (intake) data: when you use the public application form (for example at /scholar/apply) without logging in, we collect the details you enter — typically contact name, email address, optional role, organisation or institution, phone, free-text notes, proposed publisher or journal names and related descriptive fields, and (for transfer enquiries) contextual information such as current platform, URLs, and ISSN-related notes. Technical data such as IP address may be processed for security and rate limiting in line with our legitimate interests.

3. Legal Basis & Why We Process Your Data

  • Contract performance: to provide editorial workflow, author/reviewer accounts, and platform services you have signed up for.
  • Legitimate interest: platform security, fraud prevention, and abuse detection.
  • Consent: analytics cookies (you can withdraw consent at any time via the banner or your browser).
  • Legal obligation: invoicing, tax records, and responding to lawful requests from authorities.
  • Pre-contractual steps and legitimate interest (intake): to receive, evaluate, and respond to publisher and journal applications submitted before you have an account; to assign and communicate using a reference code; to prevent abuse of unauthenticated intake (including rate limiting); and to maintain records of our decisions and related platform operations.

4. Cookies & Tracking

We use two categories of cookies:

  • Essential cookies (always active): session authentication tokens, CSRF protection tokens, and load-balancer routing cookies. These are strictly necessary for the platform to function and cannot be disabled.
  • Analytics cookies (consent required): error monitoring (Sentry), and platform usage analytics. These are only activated if you select "Accept All" in the consent banner. You can change your preference at any time by clearing your browser's local storage or visiting cookie settings.

5. Who We Share Your Data With

  • Stripe — payment processing (EU-US Data Privacy Framework).
  • Resend / SMTP provider — transactional email delivery.
  • Sentry — error monitoring (personal data is minimised in crash reports).
  • ORCID — when you connect your ORCID iD, your public ORCID record is fetched.
  • Journal editors — manuscript authors and reviewers share data within the editorial workflow of each journal they engage with.
  • Authorised platform staff — intake applications are accessible to a limited set of platform operators (for example Super Admin review) solely to assess and administer your request. Submitting the intake form does not by itself publish your data on a public journal site.

We do not sell or rent your personal data to third parties under any circumstances.

6. Data Retention

  • Active account data is retained as long as your account is open.
  • Published manuscript metadata is retained indefinitely as part of the scholarly record.
  • Access logs are purged after 90 days.
  • Upon account deletion, personal profile data is erased within 30 days; anonymised manuscript contribution records are retained for archival purposes unless you request otherwise.
  • Pre-account application (intake) records are retained for as long as needed to evaluate and administer your request, operate follow-up workflows (such as internal review or provisioning decisions), resolve disputes, and meet legal or regulatory obligations. The duration depends on the status and outcome of your application; we do not retain these records for unsolicited marketing on the basis of this form alone.

7. Your Rights Under GDPR

As a data subject under GDPR you have the following rights:

  • Right of Access: Download all your personal data at any time from your profile page.
  • Right to Rectification: Correct inaccurate data in your account settings.
  • Right to Erasure: Request deletion of your account and personal data via your profile page.
  • Right to Portability: Export your data as a structured JSON archive (ZIP).
  • Right to Object: Object to processing based on legitimate interest by contacting us.
  • Right to Restrict: Request we limit processing while a dispute is resolved.

To exercise any right, use the self-service tools in your profile settings or email admin@veridoxascholar.com. We will respond within 30 days. You also have the right to lodge a complaint with your national supervisory authority (e.g., the ICO in the UK, or your local EU DPA).

If you submitted a publisher or journal application without a platform account, you can still exercise applicable GDPR rights (including access, rectification, erasure, and objection where relevant) by emailing admin@veridoxascholar.com. Please include your application reference code if you have one, so we can locate your record.

8. International Data Transfers

Your data may be processed on servers located in the EU, UK, or USA. Where data is transferred outside the EEA, we ensure appropriate safeguards are in place (Standard Contractual Clauses or adequacy decisions). Our cloud infrastructure provider maintains EU-region options and we prioritise EU data residency where available.

9. Security

Passwords are hashed using bcrypt. Connections are encrypted with TLS. Access controls follow role-based permissions. We conduct periodic security reviews and respond to vulnerability reports promptly. In the event of a personal data breach that risks your rights and freedoms, we will notify you and the relevant DPA within 72 hours.

10. Changes to This Policy

We may update this policy to reflect changes in the platform or legal requirements. We will notify registered users by email for material changes and update the effective date at the top of this page. Continued use of the platform after the effective date constitutes acceptance of the revised policy.

Veridoxa Ltd · Privacy enquiries: admin@veridoxascholar.com
